Information Security News mailing list archives

Hardware firewall runs on NSA technology


From: William Knowles <wk () C4I ORG>
Date: Tue, 10 Oct 2000 19:02:51 -0500

http://www.eetimes.com/story/OEG20001009S0056

By Craig Matsumoto
EE Times
(10/09/00, 4:14 p.m. EST)

SAN MATEO, Calif. - A relationship with the National Security Agency
has netted Marconi Communications the technology to produce a firewall
that is said to run at OC-12 speeds (622 Mbits/second) and to be
undetectable to potential intruders. The technology, licensed from the
NSA and sold back to the agency in product form, is part of a
longstanding relationship between government agencies and Fore Systems
Inc., which Marconi (Pittsburgh) acquired last year.

Marconi showed the SA-400 at the Networld + Interop show in Atlanta
last month. Unlike typical firewalls, which reside in software on a
workstation, the SA-400 is a standalone appliance that sits on the
incoming line and passes traffic through at wire speed, eliminating
the telltale delay and routing of a workstation firewall.

In part, the box achieves that speed because it can handle
asynchronous transfer mode (ATM) traffic natively.

"Most firewalls are done at the IP [Internet Protocol] layer and
higher, because most people's security policy is at the IP
layer," said Matthew Jones, program manager for enterprise ATM at
Marconi. The SA-400 operates by inspecting the IP header and payload
inside the ATM cell, without having to extract the IP information
explicitly.

Jones likened the process to a glass bottle: "You can read the label
and know what's in it without having to taste it," he said. "It's a
pretty neat technology, to actually figure out the IP layer without
going up there."

The SA-400 takes in traffic through two queues able to process two ATM
cells apiece, then uses information at the ATM layer to determine how
a particular frame has been encapsulated. From there, it searches for
specific bits of IP-layer information (source address, destination
address, TCP port and UDP port), implementing policies programmed onto
FPGAs inside the box.
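As an added illustration of the inspection path just described (example code, not Marconi's or the NSA's), the Python below reassembles an AAL5 frame from 53-byte ATM cells, reads the IPv4 addresses and TCP/UDP ports straight out of the cell payload without handing the packet to an IP stack, and matches them against a small first-match policy table. It assumes LLC/SNAP encapsulation of IP over AAL5 (RFC 2684), which the article does not specify, and the policy and sample traffic are constructed for the demonstration.

```python
import struct
import ipaddress

IPV4_SNAP = bytes.fromhex("aaaa030000000800")   # LLC/SNAP header for IPv4 over AAL5 (RFC 2684)

def parse_cell(cell):  # 53-byte UNI cell: GFC(4) VPI(8) VCI(16) PT(3) CLP(1) HEC(8) + 48-byte payload
    h = int.from_bytes(cell[:4], "big")
    vpi, vci, pt = (h >> 20) & 0xFF, (h >> 4) & 0xFFFF, (h >> 1) & 0x7
    return vpi, vci, bool(pt & 1), cell[5:]         # PT bit 0 set = last cell of an AAL5 frame

def reassemble_aal5(cells):  # concatenate payloads up to the end-of-frame cell, strip the trailer
    buf = bytearray()
    for cell in cells:
        _, _, last, payload = parse_cell(cell)
        buf += payload
        if last:                                    # trailer = UU(1) CPI(1) Length(2) CRC-32(4)
            return bytes(buf[:struct.unpack(">H", buf[-6:-4])[0]])   # CRC-32 not verified here
    raise ValueError("no end-of-frame cell seen")

def extract_ipv4_tuple(pdu):  # read the IP 'label' inside the cell payload without a stack hand-off
    if not pdu.startswith(IPV4_SNAP):
        return None                                 # not IPv4 over LLC/SNAP: nothing to match
    ip = pdu[len(IPV4_SNAP):]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    src, dst = ipaddress.IPv4Address(ip[12:16]), ipaddress.IPv4Address(ip[16:20])
    sport, dport = struct.unpack(">HH", ip[ihl:ihl + 4]) if proto in (6, 17) else (None, None)
    return src, dst, proto, sport, dport

# Constructed policy in the spirit of the rules programmed onto the FPGAs: first match wins, else deny.
POLICY = [(ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("192.0.2.10/32"), 6, 443, "permit")]

def decide(cells):
    t = extract_ipv4_tuple(reassemble_aal5(cells))
    if t is None:
        return "deny"
    src, dst, proto, _sport, dport = t
    for s_net, d_net, p, port, action in POLICY:
        if src in s_net and dst in d_net and (p, port) == (proto, dport):
            return action
    return "deny"

def build_cells(src, dst, proto, sport, dport, vpi=0, vci=32):  # constructed sample traffic
    l4 = struct.pack(">HH", sport, dport) + b"\x00" * 16        # TCP/UDP header begins with the ports
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + l4
    pdu = IPV4_SNAP + ip
    pad = (-(len(pdu) + 8)) % 48                                # PDU + 8-byte trailer fills whole cells
    frame = pdu + b"\x00" * pad + struct.pack(">BBHI", 0, 0, len(pdu), 0)   # CRC-32 left as zero
    return [((vpi << 20) | (vci << 4) | (int(i + 48 >= len(frame)) << 1)).to_bytes(4, "big")
            + b"\x00" + frame[i:i + 48] for i in range(0, len(frame), 48)]  # HEC byte left as zero
```

Non-IP traffic, or anything with no matching rule, falls through to deny, which is the failure mode a wire-speed policy engine should default to.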

These shortcuts let the SA-400 hit higher speeds than conventional
firewalls, Jones said. "Even with the most sophisticated and
high-performance workstations out there, running a firewall, you're
lucky to get DS-3 [45-Mbit/s] rates," he said.

Plugging the hole

Reading ATM also lets the SA-400 process voice-over-IP packets. With a
software firewall, there isn't time to route voice signals through the
workstation, so a path is created that bypasses the firewall entirely,
essentially creating a hole in the firewall. Because the SA-400 can
operate at wire speed, it averts that problem, Jones said.

Hardware-based firewalls didn't become common earlier because silicon
hadn't caught up, Jones said, noting that FPGAs only now are large
enough to handle the processing of IP data streams. In addition, line
rates have now gotten high enough (many corporations now have
high-speed access lines to the Internet) so that the delays of
software-based firewalls are becoming a hassle, he said.

The SA-400 was developed at the NSA's Laboratory of Technology and
Science. But the agency wanted to be able to buy the product
commercially, to keep the price down, Jones said. So, the NSA licensed
the technology to Marconi and acted as consultant in the development
of the SA-400, which Marconi now sells back to the agency.

"Part of their charter is to make the technology commercially
available for use internally," Jones said. "The economics of scale for
federal production just aren't there. We can mass-produce the item and
drive costs down."

The relationship stems from Fore Systems' origins as a government
contractor. In fact, Fore was created through a Navy grant and has
since remained close to the Pentagon and the intelligence community.

Marconi holds unconditional licenses to the NSA's patents on the
traffic-inspection methods used in the SA-400. The company is "kicking
around" ideas for using that technology in other products, including
such possibilities as a firewall integrated into an ATM switch or a
device to sort and prioritize IP-level information in much the same
way as Multi-Protocol Label Switching does, Jones said.

The SA-400 is priced at $15,000 for an OC-3 (155-Mbit/s) version, or
$25,000 for OC-12.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".